Add test for CA with RSA algorithm

A new test has been added to install CA with a non-default RSA
algorithm verify that the system certs and admin cert use the
same algorithm. The test will also issue an SSL server cert
and verify that the cert uses the same algorithm.

The tests for CA with ECC and RSA/PSS algorithms have also
been updated to perform the same validation.

.github/workflows/ca-ecc-test.yml

@@ -84,28 +84,78 @@ jobs:
 
       - name: Check CA signing cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
-          docker exec pki openssl x509 -text -noout -in ca_signing.crt
+          docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Check CA OCSP signing cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
-          docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt
+          docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Check CA audit signing cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
-          docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt
+          docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Check subsystem cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
-          docker exec pki openssl x509 -text -noout -in subsystem.crt
+          docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Check SSL server cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
-          docker exec pki openssl x509 -text -noout -in sslserver.crt
+          docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Run PKI healthcheck
         run: docker exec pki pki-healthcheck --failures-only
@@ -121,11 +171,33 @@ jobs:
 
       - name: Check CA admin cert
         run: |
-          docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert
+          docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
-      - name: Check cert requests in CA
+          docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+      - name: Check issuing SSL server cert
         run: |
-          docker exec pki pki -n caadmin ca-cert-request-find
+          docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
+
+          docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
+
+          echo "X9.62 ECDSA signature with SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+          echo "ecdsa-with-SHA512" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Gather artifacts
         if: always()

.github/workflows/ca-rsa-pss-test.yml

@@ -95,47 +95,77 @@ jobs:
 
       - name: Check CA signing cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_signing | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
           docker exec pki openssl x509 -text -noout -in ca_signing.crt | tee output
 
           echo "rsassaPss" > expected
-          sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
           diff expected actual
 
       - name: Check CA OCSP signing cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_ocsp_signing | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
           docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt | tee output
 
           echo "rsassaPss" > expected
-          sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
           diff expected actual
 
       - name: Check CA audit signing cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n ca_audit_signing | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
           docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt | tee output
 
           echo "rsassaPss" > expected
-          sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
           diff expected actual
 
       - name: Check subsystem cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n subsystem | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export subsystem --cert-file subsystem.crt
           docker exec pki openssl x509 -text -noout -in subsystem.crt | tee output
 
           echo "rsassaPss" > expected
-          sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
           diff expected actual
 
       - name: Check SSL server cert
         run: |
+          docker exec pki certutil -L -d /etc/pki/pki-tomcat/alias -f ${SHARED}/password.txt -n sslserver | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki pki-server cert-export sslserver --cert-file sslserver.crt
           docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
 
           echo "rsassaPss" > expected
-          sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
           diff expected actual
 
       - name: Run PKI healthcheck
@@ -152,15 +182,33 @@ jobs:
 
       - name: Check CA admin cert
         run: |
+          docker exec pki certutil -L -d /root/.dogtag/nssdb -n caadmin | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
           docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert | tee output
 
           echo "rsassaPss" > expected
-          sed -n "/^\s*Signature Algorithm:/ {s/^.*:\s*\(\S*\)\s*$/\1/p;q}" output > actual
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
           diff expected actual
 
-      - name: Check cert requests in CA
+      - name: Check issuing SSL server cert
         run: |
-          docker exec pki pki -n caadmin ca-cert-request-find
+          docker exec pki /usr/share/pki/tests/ca/bin/sslserver-create.sh
+
+          docker exec pki certutil -L -d /root/.dogtag/nssdb -n sslserver | tee output
+
+          echo "PKCS #1 RSA-PSS Signature" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
+
+          docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
+
+          echo "rsassaPss" > expected
+          sed -n -e "s/\s*$//" -e "s/^\s*Signature Algorithm:\s*\(.*\)$/\1/p" output | uniq > actual
+          diff expected actual
 
       - name: Gather artifacts
         if: always()